Java EE 6 Cookbook
for Securing,
Tuning, and
Extending Enterprise
Applications
Packed with comprehensive recipes to secure, tune, and
extend your Java EE applications
Mick Knutson
PUBLISHING
professional expertise distilled
BIRMINGHAM - MUMBAI
Java EE 6 Cookbook for Securing, Tuning,
and Extending Enterprise Applications
Copyright © 2012 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, without the prior written permission of the publisher,
except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the
information presented. However, the information contained in this book is sold without
warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers
and distributors will be held liable for any damages caused or alleged to be caused directly or
indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies
and products mentioned in this book by the appropriate use of capitals. However, Packt
Publishing cannot guarantee the accuracy of this information.
First published: June 2012
Production Reference: 1180612
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-84968-316-6
www.packtpub.com
Cover Image by Jackson Myers
Credits
Author
Mick Knutson
Reviewers
Antonio Gomes Rodrigues
Manjeet Singh Sawhney
Deepak Vohra
Acquisition Editor
Andrew Duckworth
Lead Technical Editor
Andrew Duckworth
Technical Editors
Merin Jose
Conrad Sardinha
Mehreen Shaikh
Copy Editor
Insiya Morbiwala
Project Coordinator
Theresa Chettiar
Proofreader
Joanna McMahon
Indexer
Hemangini Bari
Graphics
Valentina D'silva
Manu Joseph
Production Coordinator
ArvindKumar Gupta
Cover Work
ArvindKumar Gupta
About the Author
Mick Knutson, with nearly two decades of experience working in the IT industry in various
roles as Enterprise technology consultant, Java Architect, project leader, Engineer, Designer
and Developer, has gained a wide variety of experience in disciplines including Java EE,
Web Services, Mobile Computing, and Enterprise Integration Solutions.
Over the course of his career, Mr. Knutson has enjoyed long-lasting partnerships with
many of the most recognizable names in the Health Care, Financial, Banking, Insurance,
Manufacturing, Telecommunications, Utilities, Product Distribution, Industrial, and Electronics
industries employing industry-standard full software lifecycle methodologies, including the
Rational Unified Process (RUP), Agile, SCRUM, and Extreme Programming (XP).
Mr. Knutson has led training courses and book publishing engagements, authored technical
white papers, and presented at seminars worldwide. As an active blogger and Tweeter, Mr.
Knutson has also been inducted in the prestigious DZone.com "Most Valuable Blogger" (MVB)
group, and can be followed online as mickknutson.
Mr. Knutson is exceptional at team building and motivating both at a peer-to-peer level and in
a leadership role. He demonstrates excellent communications skills and the ability to adapt to
all environments and cultures with ease.
Mr. Knutson is President of BASE Logic, Inc., a software consulting firm focusing on
Java-related technologies and development practices, and training for enterprise development.
Mr. Knutson has been a strategic member of Comcast, for Wayne Ramprashad, helping
to design and deploy the next generation IVR to align the One Customer Experience and
deflect millions in quarterly operational costs. This opportunity helped foster many real world
challenges and solutions used indirectly in many of the recipes included in this book.
Acknowledgement
There were several individuals and companies that offered great support in the creation of
this book. Rich Highland, Claus Ibsen, and Jonathan Anstey of FuseSource. Atlassian supplied
a license of Clover for code coverage. Eviware supported many recipes with a license of
soapUI Pro. Jetbrains supplied a license of IntelliJ IDEA editor. MadeForNet supplied a license
of HTTP Debugger. Vandyke Software supplied licenses for SecureCRT and SecureFX. YourKit
supplied a license for the YourKit profiler.
Visual Paradigm assisted me with the use of their UML modeling suite that was instrumental
in writing this book, as well as a powerful tool I have recommended and used on many
projects to describe, design and detail all aspects of the software development lifecycle.
Bhavin Parikh assisted in many of the soapUI recipes in this book. Mr. Parikh is a
Senior Consultant and Scrum Master, currently employed at Valtech and has more than
13 years of extensive software development experience in OOP, Java, J2EE, web services,
database, and various middleware and enterprise technologies. Mr. Parikh holds a Master's
degree in Computer Science from Penn State University, and he spoke on data mining at the
13th International Conference on Intelligent and Adaptive Systems and Software Engineering.
Jim Leary of CloudBees assisted with Jenkins and cloud deployment recipes. Mr. Leary has
over 30 years of experience in the information technology field. Over half his career has
involved working with web-based technologies across a wide swath of frameworks, platforms,
and languages. He has held positions as a software developer, manager and architect in a
variety of industries including high technology, financial services and energy.
Shawn Northart assisted in Munin and firewall recipes. Mr. Northart moved to San Jose in
2003 after serving various technical support and system administration roles for several
ISPs in and around Sacramento. In managed hosting, he honed his system administration
skills working with Apache, PHP, and MySQL on the FreeBSD and Linux platforms. He has also
worked extensively with designing, implementing, and tuning web-server farms, both large and
small, for a number of high-traffic websites.
Justin Zealand assisted with the iOS section in Chapter 6, Enterprise Mobile Device
Integration. Justin is an independent contractor with over a decade of programming
experience in Java-based web systems and more recently native mobile platforms,
including iOS and Android. Justin has worked at major companies across a wide range
of industries and across many Internet technology disciplines.
Friends and family: I would like to thank my mother for teaching me how to work hard and
how one must sometimes make sacrifices to achieve one's goals. I would like to thank my
father for giving me the motivation to persevere against all odds. This book would not have
been possible without the support of all of my friends throughout the entire process.
About the Reviewers
Antonio Gomes Rodrigues earned his Master's degree at the University of Paris VII
in France. Since then, he has worked at various companies with Java EE technologies in
the roles of developer, technical leader, technical manager of offshore projects, and
performance expert.
He is currently working on performance problems in Java EE applications, in a
specialized company.
I would like to thank my wife Aurélie for her support.
Manjeet Singh Sawhney currently works for a major IT services, business solutions, and
outsourcing company in London (UK) as an Information Management Consultant. Previously, he
has worked for other global organizations in various technical roles, including Java development
and technical solutions consulting. Even though Manjeet has worked across a range of
programming languages and technologies, his core language is Java. During his postgraduate
studies, he also worked as a Student Tutor for one of the top 100 universities in the world where
he was teaching Java to undergraduate students and marked exams and project assignments.
Manjeet acquired his professional experience by working on several mission-critical projects
serving clients in the Financial Services, Telecommunications, Manufacturing, and Public Sector.
I am very thankful to my parents, my wife Jaspal and my son Kohinoor for
their encouragement and patience as reviewing this book took some of my
weekends from the family.
Deepak Vohra is a consultant and a principal member of the NuBean.com software
company. Deepak is a Sun Certified Java Programmer and Web Component Developer,
and has worked in the fields of XML and Java programming, and J2EE for over five years.
Deepak is the co-author of the Apress book Pro XML Development with Java Technology and
was the technical reviewer for the O'Reilly book WebLogic: The Definitive Guide. Deepak was
also the technical reviewer for the Course Technology PTR book Ruby Programming for the
Absolute Beginner, and the technical editor for the Manning Publications book Prototype and
Scriptaculous in Action.
Deepak is also the author of the Packt Publishing books JDBC 4.0 and Oracle JDeveloper for
J2EE Development, Processing XML documents with Oracle JDeveloper 11g, and EJB 3.0
Database Persistence with Oracle Fusion Middleware 11g.
www.PacktPub.com
Support files, eBooks, discount offers and more
You might want to visit www.PacktPub.com for support files and downloads related to your book.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files
available? You can upgrade to the eBook version at www.PacktPub.com and as a print book
customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@
packtpub.com for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a
range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library.
Here, you can access, read and search across Packt's entire library of books.
Why Subscribe?
- Fully searchable across every book published by Packt
- Copy and paste, print and bookmark content
- On demand and accessible via web browser
Free Access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib
today and view nine entirely free books. Simply use your login credentials for immediate access.
Instant Updates on New Packt Books
Get notified! Find out when new books are published by following @PacktEnterprise on Twitter,
or the Packt Enterprise Facebook page.
Table of Contents
Preface 1
Chapter 1: Out with the Old, In with the New 7
Introduction 7
Pruning old APIs 8
In with the new 13
Implementing Java Contexts and Dependency Injection (CDI) 14
Understanding the EJB 3.1 specification 17
Understanding the JPA 2.0 specification 21
Understanding the JAX-RS 1.1 specification 25
Understanding the Servlet 3.0 specification 27
Understanding the WebBeans 1.0 specification 30
Understanding the JSF 2.0 specification 30
Understanding Bean Validation 32
Understanding profiles 34
Chapter 2: Enterprise Persistence 37
Introduction 37
Understanding @CollectionTable 38
Auditing previous JPA Operations 42
Auditing historical JPA Operations 44
Profiling and testing JPA Operations 53
Chapter 3: Security 65
Introduction 65
Performing authentication in Java EE 68
Authorization in Java EE 77
Enforcing security in Enterprise Applications 80
Programmatic security and annotations in Java EE 84
Securely signing JAR artefacts 89
Configuring Linux firewall rules 93
Securely obfuscating Java byte-code 101
Minification and obfuscation of web resources 108
Chapter 4: Enterprise Testing Strategies 115
Introduction 115
Remote debugging of Java EE applications 116
Testing JPA with DBUnit 120
Using Mock objects for testing 130
Testing HTTP endpoints with Selenium 143
Testing JAX-WS and JAX-RS with soapUI 152
Chapter 5: Extending Enterprise Applications 169
Introduction 169
Integrating Groovy into Enterprise Applications 170
Integrating Jython into Enterprise Applications 178
Integrating Scala into Enterprise Applications 181
Weaving AspectJ advice into Enterprise Applications 184
Weaving AspectJ advice into existing libraries 187
Adding advice with CDI Decorators 190
Adding advice with CDI Interceptors 194
Chapter 6: Enterprise Mobile Device Integration 201
Introduction 201
Evaluating mobile framework projects 202
Native application considerations 209
Leveraging mobile design tools 215
Testing mobile-web applications with online emulators 223
Setting up a local Apache environment 228
Native SDK development considerations 236
Chapter 7: Deployment and Configuration 239
Introduction 239
Java EE configuration with CDI 240
Java EE configuration with Groovy 244
Enabling remote JMX on Tomcat server 248
Enabling JMX over SSL on Tomcat server 256
Enabling remote JMX on GlassFish server 260
Enabling JMX over SSL on GlassFish server 268
Using JRebel for rapid redeployment 273
Managing VisualVM application repository conguration 281
Chapter 8: Performance and Debugging 285
Introduction 285
Profiling memory with jVisualVM 286
Using jstatd to enable Visual GC 293
Profiling applications with Netstat 299
Proling TCP connections with TCPMon 307
Monitoring application and server performance with Munin 310
Debugging HTTP connections with HTTP Debugger 316
Index 323
Preface
Java Platform, Enterprise Edition is a widely used platform for enterprise server programming
in the Java programming language.
This book covers exciting recipes on securing, tuning, and extending Enterprise Applications
using a Java EE 6 implementation.
The book starts with the essential changes in Java EE 6. Then we will dive into the
implementation of some of the new features of the JPA 2.0 specification, and look at
implementing auditing for relational data stores. There are several additional sections that
describe some of the subtle issues encountered, tips, and extension points for starting your
own JPA application, or extending an existing application.
We will then look into how we can enable security for our software system using Java EE
built-in features as well as using the well-known Spring Security framework. We will then look
at recipes on testing various Java EE technologies including JPA, EJB, JSF, and web services.
Next we will explore various ways to extend a Java EE environment with the use of additional
dynamic languages as well as frameworks.
The book then covers recipes that touch on the issues, considerations, and options related to
extending enterprise development efforts into mobile application development.
At the end of the book, we will cover managing Enterprise Application deployment and
configuration, and recipes that will help you debug problems and enhance the performance
of your applications.
What this book covers
Chapter 1, Out with the Old, In with the New: This chapter is not a tutorial or primer on the
various specifications, but rather aimed at giving a high-level summary of the key changes in
the Java EE 6 release. The focus is on how these new features simplify your development and
how they can improve your application performance.
Chapter 2, Enterprise Persistence: In this chapter, we will dive into the implementation of
some of the new features of the JPA 2.0 specification, and look at implementing auditing for
relational data stores. There are also several additional sections that describe some typical
issues encountered, further tips, and extension points for starting your own JPA application,
or extending an existing application.
Chapter 3, Security: In this chapter, we will look into how we can enable security for our
software system using Java EE built-in features as well as using the well-known Spring
Security framework, which is a widely accepted framework for more fine-grained security
implementation.
Chapter 4, Enterprise Testing Strategies: This chapter covers a wide range of testing
techniques to employ in the Enterprise. We cover testing-related recipes for testing various
Java EE technologies, including JPA, EJB, JSF, and web services.
Chapter 5, Extending Enterprise Applications: In this chapter, we will explore various ways
to extend a Java EE environment with the use of additional dynamic languages as well as
frameworks.
We start with a recipe using Groovy as a dynamic language integrating to existing Java code,
then move to examples with Scala, followed by a recipe to integrate AspectJ aspect weaving
into an existing application.
We will then end this chapter with two standard Java EE 6 extensions, the Decorator and
Interceptor. These are new CDI features that have similar capability and extensibility as we
might get from Aspects.
Chapter 6, Enterprise Mobile Device Integration: This chapter will cover recipes that touch on
the issues, considerations, and options related to extending Enterprise development efforts
into mobile application development.
Chapter 7, Deployment and Configuration: In this chapter, we will cover issues and solutions
to application configuration. The solutions described will cover the use of standard Java EE
APIs to access external properties files, as well as Groovy-based configuration scripts.
Advanced configuration topics will be covered using the Java Management Extensions (JMX)
including detailed configuration and recipes explaining the use of tools to connect to a
JMX service.
This chapter will also cover tools to aid in rapid and hot-deployment of Java EE applications
through a development IDE or existing build tool such as Apache Ant or Apache Maven.
Chapter 8, Performance and Debugging: This chapter consists of recipes for solving issues
related to the performance and debugging of Java EE applications. The solutions described
will help in understanding performance-related issues in a Java EE application and ways
to identify the cause. Performance topics that will be covered include profiling application
memory, TCP connections, server sockets, and threading-related problems that can face any
Java application.
This chapter will also cover how to leverage tools for debugging web service payloads as well
as ways to extend the capabilities of those tools. Additionally, we will cover leveraging tools to
debug network-related issues, including profiling TCP, HTTP, and HTTPS-based connections.
We finish the chapter by leveraging tools for application server monitoring to get a better
understanding of the health and performance of a live application and the server it runs on.
What you need for this book
The recipes in this book are of an intermediate to advanced nature, so a good understanding of
Java is required. All the recipes contain references to the required tools and/or SDKs that are
used in each recipe. Many recipes reference a specific Java EE 6 container, but any Java
EE 6-compliant container will suffice.
Who this book is for
This book is aimed at Java developers and programmers who want to secure, tune, and
extend their Java EE applications.
Conventions
In this book, you will find a number of styles of text that distinguish between different kinds of
information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: "The @CollectionTable annotation can be added
to a Collection<T> or a Map<K, V> entity attribute."
A block of code is set as follows:
@ElementCollection
@CollectionTable(name = Constants.HOBBIES,
joinColumns = @JoinColumn(name = Constants.CUSTOMER_ID))
@Column(name = Constants.HOBBY_NAME, nullable = true)
private Collection<String> hobbies = new HashSet<String>();
When we wish to draw your attention to a particular part of a code block, the relevant lines or
items are set in bold:
@OneToMany(cascade = {CascadeType.ALL},
fetch = FetchType.EAGER,
mappedBy = Constants.AUDIT_ENTRY)
private Collection<AuditField> fields;
Any command-line input or output is written as follows:
classpath group: 'com.yahoo.platform.yui',
name: 'yuicompressor', version: '2.4.6'
classpath group: 'org.mozilla',
name: 'rhino', version: '1.7R3'
New terms and important words are shown in bold. Words that you see on the screen, in
menus or dialog boxes for example, appear in the text like this: "You just need to click on
the YourKit icon."
Warnings or important notes appear in a box like this.
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this
book—what you liked or may have disliked. Reader feedback is important for us to develop
titles that you really get the most out of.
To send us general feedback, simply send an e-mail to , and
mention the book title through the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or
contributing to a book, see our author guide on www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you to
get the most from your purchase.
Downloading the example code
You can download the example code files for all Packt books you have purchased from your
account at . If you purchased this book elsewhere, you can
visit and register to have the files e-mailed directly
to you.
Errata
Although we have taken every care to ensure the accuracy of our content, mistakes do happen.
If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be
grateful if you would report this to us. By doing so, you can save other readers from frustration
and help us improve subsequent versions of this book. If you find any errata, please report them
by visiting , selecting your book, clicking on the errata
submission form link, and entering the details of your errata. Once your errata are verified, your
submission will be accepted and the errata will be uploaded to our website, or added to any list
of existing errata, under the Errata section of that title.
Piracy
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt,
we take the protection of our copyright and licenses very seriously. If you come across any
illegal copies of our works, in any form, on the Internet, please provide us with the location
address or website name immediately so that we can pursue a remedy.
Please contact us at
with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
Questions
You can contact us at if you are having a problem with any
aspect of the book, and we will do our best to address it.
1
Out with the Old,
In with the New
In this chapter, we will cover:
- Pruning old APIs
- In with the new
- Implementing Java Contexts and Dependency Injection (CDI)
- Understanding the EJB 3.1 specification
- Understanding the JPA 2.0 specification
- Understanding the JAX-RS 1.1 specification
- Understanding the Servlet 3.0 specification
- Understanding the WebBeans 1.0 specification
- Understanding the JSF 2.0 specification
- Understanding Bean Validation
- Understanding profiles
Introduction
The goal of this book is to describe recipes for securing, tuning, and extending enterprise
applications using a Java EE 6 implementation. First, I want to cover some essential changes
in Java EE 6, then later employ some of these changes in recipes that are sure to help you
build a more secure and robust application.
This chapter is not a tutorial or primer on the various specifications, but rather aimed at giving
a high-level summary of the key changes in the Java EE 6 release. The focus is on how these
new features simplify your development and how they can improve your application
performance. However, if you wish to dive straight in, feel free to skip this chapter and return
to it later for reference.
Pruning old APIs
Before diving into new APIs, we need to understand what has been marked for removal in
Java EE 6.
Java EE was first released in 1999 and has had new specifications added in each release.
Until Java EE 6, no specifications were removed or marked for removal. Over the years, some
features have not been well supported or widely adopted, because they became technologically
outdated or better alternatives were made available. Java EE 6 has adopted a pruning process
(also known as marking for deletion), a process already used by the Java SE group. None of
the items marked will actually be removed from Java EE 6, but they could be removed from
Java EE 7.
1. To begin with, let's look at the relationships among the Java EE containers:
2. Next, we examine the availability of the Java EE 6 APIs in the web container:
The green boxes denote the new APIs added to Java EE 6.
3. Next, we examine the availability of the Java EE 6 APIs in the EJB container:
The green boxes denote the new APIs added to Java EE 6.
4. Next, we examine the availability of the Java EE 6 APIs in the application client:
The green box denotes the new API added to Java EE 6.
We will now cover each of the items marked for deletion, why it was marked for deletion, and
what will be replacing the pruned specication.
Pruning JAX-RPC
JAX-RPC was an early API for web services interoperability across heterogeneous platforms
and languages. It was a solid first step, and the JAX-RPC expert group did an admirable job with
the reference implementation. However, when the project started, there were few companion
specifications to build on, such as JAXB.
Since the 1.x life span of JAX-RPC, many related specifications have gained momentum, and
the team used the lessons learned from 1.x, together with the widely adopted standards that
appeared in the meantime, to transform JAX-RPC 1.x into JAX-RPC 2.0.
While this might sound like just another major release, it is more than that. With the advent of
JAX-RPC 2.0, the team, for several reasons, decided to rename JAX-RPC 2.0 to JAX-WS 2.0.
The really exciting part of the team's efforts is the adoption of JAX-WS by Java EE 6. We will be
exploring the JAX-WS specification in more detail later in this chapter, and in later recipes.
Why was it marked for deletion?
JAX-RPC version 1.1 was marked for deletion in Java EE 6, while what would have been
JAX-RPC version 2.0 was renamed to JAX-WS version 2.0. There are a few reasons for this
renaming:
- One reason is that the JAX-RPC name is misleading. Developers assume that all JAX-RPC
code is Remote Procedure Calls (RPC) rather than web services.
- Another important reason is that JAX-RPC 1.x does not use JAXB. The first version of
JAX-RPC was completed before JAXB was released, so the JAX-RPC authors developed a
custom mapping solution instead.
- Maintaining binary compatibility with the JAX-RPC 1.1 APIs would hinder the goal of ease
of development.
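To make the second reason concrete, here is an added example (not code from the book) of what replaces the custom mapping of JAX-RPC 1.x: a JAX-WS 2.x endpoint whose payload type is bound by JAXB annotations alone, so the same class drives both the WSDL schema and stand-alone marshalling. The package com.example.greeter, the namespace http://example.com/greeter, and the GreeterEndpoint, Greeting and GreeterDemo names are assumptions for this illustration; it relies on the JAX-WS and JAXB reference implementations that ship with JDK 6 to 8.

```java
package com.example.greeter;

import java.io.StringWriter;
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Marshaller;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.ws.Endpoint;

/**
 * Added example (not from the book): a JAX-WS 2.x endpoint whose payload type is
 * bound by JAXB annotations alone, with no JAX-RPC 1.x style mapping file.
 * The package, namespace and class names are assumptions for this illustration.
 */
@WebService(serviceName = "GreeterService", targetNamespace = "http://example.com/greeter")
public class GreeterEndpoint {

    /** The type that crosses the wire; JAXB derives its XML schema from these annotations. */
    @XmlRootElement(name = "greeting", namespace = "http://example.com/greeter")
    @XmlAccessorType(XmlAccessType.FIELD)
    public static class Greeting {
        @XmlElement(required = true)
        private String recipient;
        @XmlElement(required = true)
        private String message;

        public Greeting() {
            // JAXB instantiates the type through its no-arg constructor
        }

        public Greeting(String recipient, String message) {
            this.recipient = recipient;
            this.message = message;
        }

        public String getRecipient() { return recipient; }
        public String getMessage() { return message; }
    }

    /** The single web operation; JAX-WS generates the WSDL operation and wrapper elements. */
    @WebMethod
    public Greeting greet(@WebParam(name = "recipient") String recipient) {
        // Reject empty input at the service boundary instead of echoing it back;
        // the JAX-WS runtime turns the exception into a SOAP fault for the caller.
        if (recipient == null || recipient.trim().isEmpty()) {
            throw new IllegalArgumentException("recipient must not be blank");
        }
        String name = recipient.trim();
        return new Greeting(name, "Hello, " + name);
    }
}

/** Publishes the endpoint and shows the JAXB form of the payload. */
class GreeterDemo {
    public static void main(String[] args) throws Exception {
        // 1. The same annotations drive stand-alone marshalling: no hand-written mapping.
        JAXBContext ctx = JAXBContext.newInstance(GreeterEndpoint.Greeting.class);
        Marshaller marshaller = ctx.createMarshaller();
        marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE);
        StringWriter xml = new StringWriter();
        marshaller.marshal(new GreeterEndpoint().greet("Alice"), xml);
        System.out.println(xml);

        // 2. Publish over HTTP with the JAX-WS runtime; the WSDL is served at <address>?wsdl.
        String address = "http://localhost:8080/greeter";
        Endpoint endpoint = Endpoint.publish(address, new GreeterEndpoint());
        System.out.println("Published " + address + "?wsdl");
        endpoint.stop();
    }
}
```

Save the file as com/example/greeter/GreeterEndpoint.java, compile with javac -d out com/example/greeter/GreeterEndpoint.java, and run java -cp out com.example.greeter.GreeterDemo on JDK 6 to 8. The javax.jws and javax.xml.ws packages were removed from the JDK in Java 11, so on a newer JDK the JAX-WS reference implementation jars must be on the classpath. The point to take away is that the Greeting class, not a separate mapping artifact, is the single source of truth for the XML on the wire, which is what the JAXB-based design of JAX-WS buys you over JAX-RPC 1.x.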